What Does DORA Mean for your Business?
DORA legislation has been met with a varied response, but it could offer transformative opportunities.

The Digital Operational Resilience Act (DORA) is now in operation, yet some companies are still scrambling to put compliance procedures in place. One report in January estimated that 43% of the UK financial services industry would miss the deadline and 20% expect to miss the deadline by at least four months.
The response to the legislation has been a mix of apprehension, driven by regulatory scrutiny and the fear of fines (figures of up to 2% of annual turnover are commonly cited), and optimism from those who intend to use DORA compliance as a competitive advantage.
What is DORA?
The financial services industry is no stranger to regulation. Every business understands the need for robust cybersecurity policies, but as new cyber threats emerge, legislation has to evolve to ensure companies meet a common minimum standard.
While the EU's Digital Operational Resilience Act (DORA) entered into force in January 2023, its requirements have only applied since 17th January 2025. The fundamental objective of the legislation is to strengthen the financial sector against ICT risks and cyber threats. To meet this aim, DORA is built on five key pillars:
- ICT risk management and governance
- ICT third-party risk management
- Digital operational resilience testing
- The reporting of ICT-related incidents
- Information sharing
What DORA means in practice
DORA requires financial entities to address 'any reasonably identifiable' ICT risks that could compromise their networks and services. Significantly, although DORA exists primarily to boost cyber resilience in the financial sector, it also reaches third-party ICT service providers: critical providers fall under direct oversight, and all others inherit obligations through the contracts their financial-sector customers must now impose. It will therefore affect IT roles and technology companies well beyond the banks and insurers themselves. The management body must define, approve, oversee and be accountable for all processes relating to ICT risk, and bears ultimate responsibility for managing that risk.
There will need to be thorough scrutiny of the ICT supply chain. Financial organisations may only contract with third-party ICT providers that follow stringent cybersecurity practices and conform to recognised security standards, which can include email-authentication controls such as DMARC. Contracts must also cover termination and exit: for some companies, this means putting exit strategies in place so that a provider can be replaced without disrupting critical services.
In practice, the legislation poses four basic questions for CISO/CIOs:
- Is the threat known and understood?
- Is the source credible?
- Are the tools there and sufficient to meet the threat?
- Are the solutions approved by expert sources?
Based on the answers to these questions, financial entities may need to update systems, protocols and tools.
An ICT incident rarely stays contained: it can spread from one system or company to another. DORA has been developed to ensure organisations fully understand the nature of their connections to third parties and are able to isolate those connections if need be.
To comply, companies must continuously review and manage their exposure to ICT risk, and as part of this they should assess whether the tools and methodologies they rely on are adequate to manage that risk.
Companies that fall short face financial penalties set by national competent authorities, with figures of up to 2% of total annual worldwide turnover commonly cited. For critical third-party ICT service providers, DORA itself provides for periodic penalty payments of up to 1% of average daily worldwide turnover, and the article's source also cites fines of up to €5 million for providers.
An opportunity for transformation
Regardless of the penalties, every business needs safeguards in place against ICT risks and cyber threats. DORA represents an opportunity for organisations not only to improve their security posture, but also to adopt current automation and security tooling, gaining operational insights that bring benefits beyond compliance while securing the long-term integrity of the organisation.
And, of course, businesses that take steps to address cyber threats will be more attractive to clients and investors.
To secure transformative solutions that can help your organisation stay safe, secure and compliant, talk to a representative at DigitalWell.